The Indian fintech sector has received over USD 2 billion in investments in 2021 as of August 2021, which is USD 411 million more than the investments received in 2020.1 The value of transactions through digital modes such as Unified Payments Interface ("UPI") and payments through cards also continues to grow at record rates.2

In line with the policy objective of consumer protection and to make digital payment systems more secure and convenient for consumers, the Reserve Bank of India ("RBI") has introduced some important changes to the extant guidelines for digital wallets, recurring payments and tokenisation, and has also introduced new outsourcing norms for operators of payment systems to bring them at par with banks and non-banking financial companies ("NBFCs").

This newsletter highlights the key developments in the Indian fintech space from July 01, 2021 to September 30, 2021.


Prepaid Payment Instruments

The RBI, on August 27, 2021, has issued a fresh set of Master Directions on Prepaid Payment Instruments ("New PPI Guidelines"),3 introducing some key changes to the erstwhile regulatory framework viz. the 'Master Direction on Issuance and Operation of Prepaid Payment Instruments' dated October 11, 2017.

The New PPI Guidelines have overhauled the existing prepaid payment instruments ("PPIs") framework and have simplified the categorisation of PPIs into two limited categories of 'small PPIs' and 'full-KYC PPIs', both of which can be issued by banks and non-bank entities. Small PPIs, which only require minimum details of the PPI holder, can be used only for the purchase of goods and services from an identified group of merchants (that have a specific contract with the PPI issuer or contract through a payment aggregator or payment gateway), and such PPIs cannot be used for cash withdrawals or fund transfers. On the other hand, full-KYC PPIs, which require the entire KYC process of the PPI holder to be completed, are not restricted for use at an identified group of merchants and allow for cash withdrawals and fund transfers back to the source account (subject to certain prescribed limits), which is similar to the earlier open system PPIs. Closed system PPIs continue to remain outside the ambit of the New PPI Guidelines.

Amongst many other changes introduced in the New PPI Guidelines, the RBI has: (a) reiterated its objective to mandate interoperability for full-KYC PPIs as per its earlier directions (and identified the role of the NPCI and authorised card networks in this regard); (b) allowed the use of video-based identification processes for customer onboarding – both for the issuance of full-KYC PPIs and to convert small PPIs to full-KYC PPIs; and (c) introduced norms for escrow account management, information security measures, and customer grievance redressal, to be followed by PPI issuers (in line with the RBI's guidelines for non-bank payment aggregators).

The above development, aimed at simplifying the regime for PPIs and creating a level playing field between bank and non-bank issuers, reinforces RBI's objective of driving financial inclusion through PPIs given their high degree of penetration across smartphone users in India, while simultaneously increasing consumer protection safeguards for PPI transactions.

New regulatory norms for outsourcing by non-bank payment system operators

To mitigate and effectively manage the risks involved in the outsourcing of payment and settlement-related activities by non-bank payment system operators ("PSOs"), the RBI has issued a new regulatory framework for outsourcing of such activities by PSOs ("Outsourcing Framework").4 Crucially, PSOs have been prohibited from the outsourcing of certain 'core management functions' (such as risk management, internal audit, and determining compliance with KYC norms).

PSOs must necessarily comply with certain minimum criteria in their outsourcing arrangements with entities in India and abroad. In particular, these arrangements must reflect the PSO's supervisory oversight in ensuring compliance with RBI's norms, framing a board-approved outsourcing policy, conducting due diligence, confidentiality and security of data norms, additional requirements for off-shore outsourcing, amongst other obligations. Importantly, incidental activities like onboarding customers and IT-based services have been construed as 'payment and settlement-related' services which can be outsourced. The RBI has reserved the ultimate responsibility and liability of the PSOs (together with their senior management), with respect to the outsourced activity and actions of the service provider.

The Outsourcing Framework brings non-bank PSOs at par with banks and NBFCs (that so far have been following similar outsourcing norms) and underpins the growing importance of non-bank PSOs in the digital payments ecosystem in India. PSOs will also need to undertake a re-assessment of their outsourcing arrangements (current and prospective), to ensure compliance with the Outsourcing Framework by the deadline of March 31, 2022.
